Excel Protected Workbook Known PW Length

[HelmanFrow]

Hi, first-time listener; first-time caller.

I've gone and locked myself out of a spreadsheet.

I first ran paid software called PassFab For Excel in trial mode.
While I didn't pay to get my results, I did note that the password is four characters long and contains only lower- and upper-case letters (I ran a custom brute-force attack). PassFab For Excel returned the results in about 12 minutes.
 
When I realized that PassFab wanted $20 for my 4-digit password I found JtR.

I extracted the file hash using office2john.py (which seems to produce a format that HashCat can use, as well).

I tried JtR in default mode but it doesn't recognize my GPU (Quadro M100M)  for some reason, even after I edited the nvidia.icd file with the location of nvopencl.dll.

Then I found HashCat (which sees my GPU out of the box) and for the last few hours I've been breaking my head over learning the the syntax and I can't figure out which attack to use and how to structure it to search for passwords only 4 characters in length and with the character set I need.

It's probably simple enough but I'm a bit slow on the uptake, and now I'm tired and frustrated.

Please to help.


PS I'm on Windows 10.

[HelmanFrow]

I've had JtR running on CPU at about 290 p/s for about 12 hours in default mode but it hasn't found anything yet.

I'm hoping things will move along faster on the GPU with HashCat.

[HelmanFrow]

Actually, upon closer inspection, it looks as though hashcat can't use my GPU yet.
I'm in the middle of downloading the CUDA Toolkit in the event that I need to install it.
Will I need to install it?

[HelmanFrow]

Still trying to get HashCat working.
Right now it's been stuck on Initializing backend runtime for device #1. Please be patient... for over 20 minutes. I'm not sure if I should cancel or not.

[HelmanFrow]

I cancelled the hung recovery.

Running hashcat.exe -I gives me this:

Code:

S D:\desktop\hashcat-6.2.5> ./hashcat.exe -I
hashcat (v6.2.5) starting in backend information mode

Successfully initialized NVIDIA CUDA library.

Failed to initialize NVIDIA RTC library.

* Device #1: CUDA SDK Toolkit not installed or incorrectly installed.
             CUDA SDK Toolkit required for proper device support and utilization.
             Falling back to OpenCL runtime.

OpenCL Info:
============

OpenCL Platform ID #1
  Vendor..: NVIDIA Corporation
  Name....: NVIDIA CUDA
  Version.: OpenCL 3.0 CUDA 11.4.156

  Backend Device ID #1
    Type...........: GPU
    Vendor.ID......: 32
    Vendor.........: NVIDIA Corporation
    Name...........: Quadro M1000M
    Version........: OpenCL 3.0 CUDA
    Processor(s)...: 4
    Clock..........: 1071
    Memory.Total...: 2048 MB (limited to 512 MB allocatable in one block)
    Memory.Free....: 1728 MB
    OpenCL.Version.: OpenCL C 1.2
    Driver.Version.: 472.42
    PCI.Addr.BDF...: 01:00.0

OpenCL Platform ID #2
  Vendor..: Intel(R) Corporation
  Name....: Intel(R) OpenCL HD Graphics
  Version.: OpenCL 3.0

  Backend Device ID #2
    Type...........: GPU
    Vendor.ID......: 8
    Vendor.........: Intel(R) Corporation
    Name...........: Intel(R) HD Graphics 530
    Version........: OpenCL 3.0 NEO
    Processor(s)...: 24
    Clock..........: 1050
    Memory.Total...: 13036 MB (limited to 2047 MB allocatable in one block)
    Memory.Free....: 1760 MB
    OpenCL.Version.: OpenCL C 3.0
    Driver.Version.: 30.0.100.9865

[HelmanFrow]

I installed the CUDA toolkit and ran hashcat.exe -I.

Now I get this:

Code:

PS D:\desktop\hashcat-6.2.5> ./hashcat.exe -I
hashcat (v6.2.5) starting in backend information mode

CUDA Info:
==========

CUDA.Version.: 11.4

Backend Device ID #1 (Alias: #2)
  Name...........: Quadro M1000M
  Processor(s)...: 4
  Clock..........: 1071
  Memory.Total...: 2048 MB
  Memory.Free....: 1685 MB
  PCI.Addr.BDFe..: 0000:01:00.0

OpenCL Info:
============

OpenCL Platform ID #1
  Vendor..: NVIDIA Corporation
  Name....: NVIDIA CUDA
  Version.: OpenCL 3.0 CUDA 11.4.156

  Backend Device ID #2 (Alias: #1)
    Type...........: GPU
    Vendor.ID......: 32
    Vendor.........: NVIDIA Corporation
    Name...........: Quadro M1000M
    Version........: OpenCL 3.0 CUDA
    Processor(s)...: 4
    Clock..........: 1071
    Memory.Total...: 2048 MB (limited to 512 MB allocatable in one block)
    Memory.Free....: 1728 MB
    OpenCL.Version.: OpenCL C 1.2
    Driver.Version.: 472.42
    PCI.Addr.BDF...: 01:00.0

OpenCL Platform ID #2
  Vendor..: Intel(R) Corporation
  Name....: Intel(R) OpenCL HD Graphics
  Version.: OpenCL 3.0

  Backend Device ID #3
    Type...........: GPU
    Vendor.ID......: 8
    Vendor.........: Intel(R) Corporation
    Name...........: Intel(R) HD Graphics 530
    Version........: OpenCL 3.0 NEO
    Processor(s)...: 24
    Clock..........: 1050
    Memory.Total...: 13036 MB (limited to 2047 MB allocatable in one block)
    Memory.Free....: 1408 MB
    OpenCL.Version.: OpenCL C 3.0
    Driver.Version.: 30.0.100.9865

Everything looks hunky + dorey but when I try to run a recovery on my file it errors out with this:

Code:

PS D:\desktop\hashcat-6.2.5> ./hashcat -a 3 -m 9600 --username hash.txt ?l?l?l?l
hashcat (v6.2.5) starting

* Device #1: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
            This may cause "CL_OUT_OF_RESOURCES" or related errors.
            To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

nvmlDeviceGetTemperatureThreshold(): Not Supported

CUDA API (CUDA 11.4)
====================
* Device #1: Quadro M1000M, 1685/2048 MB, 4MCU

OpenCL API (OpenCL 3.0 CUDA 11.4.156) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: Quadro M1000M, skipped

OpenCL API (OpenCL 3.0 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #3: Intel(R) HD Graphics 530, 1408/13036 MB (2047 MB allocatable), 24MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP
* Uses-64-Bit

Watchdog: Temperature abort trigger set to 90c

cuLinkAddData(): the provided PTX was compiled with an unsupported toolchain.

* Device #1: Kernel ./OpenCL/shared.cl link failed. Error Log:

ptxas application ptx input, line 9; fatal  : Unsupported .version 7.6; current version is '7.4'



* Device #1: Kernel ./OpenCL/shared.cl build failed.

Started: Sat Mar 19 19:41:18 2022
Stopped: Sat Mar 19 19:41:21 2022

I'm running a Lenovo ThinkPad P50 20EN with Windows 10 21H2.

What am I missing?

[HelmanFrow]

p.s. I accidentally cancelled the JtR session after a fruitless 16 hours and now I'm back at square 1.

[secpro]

p.s. I accidentally cancelled the JtR session after a fruitless 16 hours and now I'm back at square 1.

Try adding --restore to the command line and it might pick up where it left off.

Given a rate of 291/s, trying all uppercase and lowercase letters should take about 7 hours, if I'm doing the math right.
Note that hashcat will not make it super obvious when it's found; there won't be a popup or anything.
You'll be watching the 0/1 line and see when it changes to 1/1.

[slyexe]

geezus man, you're pretty impatient. Your first attempt at cracking your password would have been fine if you didn't keep installing drivers ontop of drivers. Just use the damn OpenCL driver that would have worked at square one.

Look at the Wiki for your hash.

https://hashcat.net/wiki/doku.php?id=example_hashes

Now look at how your attack will work.

https://hashcat.net/wiki/doku.php?id=mask_attack

So you have your hashmode and your attack mode so now you just need to put it all together.

hashcat.exe -d 2 -m xxxxx -a 3 -1 ?l?u hash.txt ?1?1?1?1

[HelmanFrow]

geezus man, you're pretty impatient.

😂 Guilty as charged, although I'm also tenacious + curious and I have a habit of using threads I've started to keep track of my progress.

Your first attempt at cracking your password would have been fine if you didn't keep installing drivers on top of drivers. Just use the damn OpenCL driver that would have worked at square one.

Whoops.
In my defense, despite my best efforts I still lack perfect information in every knowledge domain so I may occasionally not realize there is an OpenCL driver.

Look at the Wiki for your hash.
https://hashcat.net/wiki/doku.php?id=example_hashes

Now look at how your attack will work.
https://hashcat.net/wiki/doku.php?id=mask_attack

Yup, I pored over those pagers for hours.
Like I said, I'm a little slow on the uptake.

So you have your hashmode and your attack mode so now you just need to put it all together.

hashcat.exe -d 2 -m xxxxx -a 3 -1 ?l?u hash.txt ?1?1?1?1

Aha. Now I understand the syntax a little better.

Anyway, that gets me down to one error code instead of three:

Code:

PS D:\desktop\hashcat-6.2.5> ./hashcat.exe -d 2 -m9600 -a 3 -1 ?l?u hash.txt ?1?1?1?1
hashcat (v6.2.5) starting

nvmlDeviceGetFanSpeed(): Not Supported

nvmlDeviceGetTemperatureThreshold(): Not Supported

CUDA API (CUDA 11.4)
====================
* Device #1: Quadro M1000M, skipped

OpenCL API (OpenCL 3.0 CUDA 11.4.156) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: Quadro M1000M, 1728/2048 MB (512 MB allocatable), 4MCU

OpenCL API (OpenCL 3.0 ) - Platform #2 [Intel(R) Corporation]
=============================================================
* Device #3: Intel(R) HD Graphics 530, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashfile 'hash.txt' on line 1 (Networ...29650db9647151a349923ea29f76d274): Signature unmatched
No hashes loaded.

Started: Sat Mar 19 20:52:43 2022
Stopped: Sat Mar 19 20:52:45 2022
PS D:\desktop\hashcat-6.2.5>

Any ideas?